Browser-based attacks are becoming one of the major security threats Web users are exposed to. For example, such attacks may be carried out by exploiting vulnerabilities in legitimate websites, impersonating legitimate websites to steal users' confidential information, exploiting vulnerabilities in web browsers, etc.
As an example of a browser-based attack, Cross-Site Scripting (XSS) is one of the most common vulnerabilities found in Web applications. A vulnerable website may propagate malicious JavaScript code into a webpage due to the lack of proper input validation on the server's side. The malicious code, now coming from the website, gains the privilege of the domain of the website. For instance, it may read the cookie set by the website and send it to an attacker.
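The reflected XSS case described above, shown as an added example that is not part of the original text: a server-side page renderer that concatenates an untrusted query parameter into HTML, beside a hardened version that HTML-encodes the value first, with a simple check that flags markup the template itself did not emit. The function names and the input are constructed for this illustration.

```javascript
// Added example (hypothetical names): vulnerable vs. hardened rendering of
// an untrusted query parameter, plus a crude check for injected markup.

// Minimal HTML entity encoder for text placed inside element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the parameter is inserted verbatim, so any markup in it
// becomes part of the page and runs with the site's own origin.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: the same value is encoded, so the browser displays it as text.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defender-side check: does the rendered HTML contain any tag other than
// those the template is known to emit?  A constructed heuristic for this
// demo, not a substitute for a real HTML parser or a CSP.
function containsForeignTag(html, allowed = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed untrusted input, as a server might receive it from a URL.
const untrusted = '<script>/* injected */</script>';

console.log('vulnerable:', renderSearchVulnerable(untrusted));
console.log('hardened:  ', renderSearchSafe(untrusted));
```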
As another example of a browser-based attack, phishing attacks trick users into visiting phishing sites (e.g., malicious websites that impersonate legitimate websites). Such attacks typically work by copying information from the corresponding legitimate sites and presenting misleading identification information (e.g., contents in location and status bars) with JavaScript code.
Although browsers generally apply some common mechanisms such as the same-origin principle to limit the interaction between web contents from different domains, the protection provided is very coarse-grained. The two types of attacks described above can both be carried out without violating the same-origin principle. In addition, browsers may sometimes have exploitable vulnerabilities due to implementation flaws.
Recent research applies code instrumentation to address browser vulnerabilities, as described in BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML, by Charlie Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky and Saher Esmeir, published in OSDI 2006. Such research, however, does not provide a policy construction framework for policy writers.
Code instrumentation has also been applied to enforce various security policies for Java programs, as described in Composing security policies with Polymer, by Lujo Bauer, Jay Ligatti and David Walker, published in PLDI 2005. This approach provides a policy framework which supports the composition of security policies. However, the techniques are not applicable to Web contents written in HTML and JavaScript, mainly because JavaScript is a dynamic language and environment. When instrumenting Java programs, only method invocations need to be monitored, and methods cannot be altered once defined. In contrast, in Web contents written in HTML and JavaScript, many different syntactic categories need to be monitored for sufficient policy enforcement, and new contents (not available statically) can be generated at runtime through higher-order script and reflection.